Vulnerabilities in Visual Studio Code Extensions Expose Developers to Attacks (Security News, May 2021)
Vulnerabilities in Visual Studio Code extensions could be exploited by malicious attackers to steal valuable information from developers and even compromise organizations, researchers with open-source software security firm Snyk say.
Although generally considered secure, VS Code extensions could expose millions of developers to malicious attacks, potentially leading to the compromise of information stored on developer machines, such as credentials, or even opening the route to further attacks.
Snyk's security researchers analyzed popular VS Code extensions that start web servers, which are typically accessible locally via a browser, and discovered that malicious actors could exploit vulnerabilities in the web server to target the developers using these extensions.
Because the input from the WebSocket client to the openExternal VS Code API method was not sanitized, the extension was vulnerable to command injection, exploitable by a malicious web page able to connect to the extension's local WebSocket server.
In some cases, the vulnerable VS Code extensions could have leveraged existing NPM packages to implement the desired functionality instead of using custom code; this can help avoid introducing vulnerabilities.
"What has been clear for third-party dependencies is also now clear for IDE plugins - they introduce an inherent risk to an application. They're potentially dangerous both because of their custom written code pieces and the dependencies they are built upon. What has been shown here for VS Code might be applicable to other IDEs as well," Snyk concludes.